Methods and apparatus are provided for securing two-party computations against malicious adversaries. A method is provided for secure function evaluation. The disclosed method is performed by a garbled circuit evaluator for the transfer of private information, and comprises receiving from a constructor (i) s garbled circuits (GCs), wherein each of the GCs having a plurality of input wires; and (ii) commitments for each of the input wires, wherein the commitments comprise s2 pair-wise cryptographic bindings of wire garblings of each given wire in the s GCs; requesting the constructor to reveal a selected check-set of s/2 of the s GCs; and verifying that the check-set was properly constructed using less than all of the commitments. In addition, the disclosed method optionally comprises the step of evaluating the remaining GCs that were not in the check-set.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method of secure function evaluation performed by a garbled circuit evaluator for the transfer of private information, comprising: receiving from a constructor (i) s garbled circuits (GCs), wherein each of said GCs has a plurality n of input wire indices; and (ii) commitments of pairs of input wires corresponding to the same input for each of said n input wire indices of each of said GCs, wherein said commitments comprise pair-wise cryptographic bindings of wire garblings of each given wire index in the s GCs with less than all possible pairs of said given wire index and s−1 other input wires of the same index in the s GCs; requesting said constructor to reveal a selected check-set of s/2 of said s GCs; and verifying that said check-set was properly constructed using less than all of said commitments.
A method for secure function evaluation, performed by a "garbled circuit evaluator" for transferring private information, involves receiving from a "constructor" a set of 's' garbled circuits (GCs), each having 'n' input wires. The method also receives commitments for pairs of input wires corresponding to the same input across the 's' GCs. These commitments are pair-wise cryptographic bindings of wire garblings, but do NOT include bindings for every possible pair of wires. The method then requests the constructor to reveal a check-set containing s/2 of the 's' GCs, and verifies that this check-set was properly constructed using the received commitments.
2. The method of claim 1 , further comprising the step of evaluating the remaining GCs that were not in said check-set.
The secure function evaluation method described above, performed by a garbled circuit evaluator for transferring private information, involves receiving from a constructor a set of 's' garbled circuits (GCs), each having 'n' input wires, and commitments for pairs of input wires corresponding to the same input across the 's' GCs (pairwise cryptographic bindings of wire garblings, but not for every possible pair). The constructor is requested to reveal a check-set of s/2 of the GCs, which is verified using the commitments. The method further includes evaluating the remaining GCs that were *not* included in the check-set.
3. The method of claim 1 , wherein said commitments comprise a binding of corresponding garblings for each input wire i, of each given circuit C, each bit-value b, and for each pair of generated GCs, GC j and GC j′ .
In the secure function evaluation method performed by a garbled circuit evaluator for transferring private information, which involves receiving 's' garbled circuits (GCs) and commitments for pairs of input wires, where a check-set of s/2 GCs is revealed and verified, the commitments bind corresponding garblings for each input wire 'i' of each given circuit 'C', for each bit-value 'b', and for each pair of generated GCs, GC 'j' and GC 'j′'. This means the commitments ensure consistency of the garbled wire values across different circuits for the same input and bit value.
4. The method of claim 1 , wherein a response to said requesting step comprises commitments that are wholly inside said check-set.
In the secure function evaluation method performed by a garbled circuit evaluator for transferring private information, which involves receiving 's' garbled circuits (GCs) and commitments for pairs of input wires, where a check-set of s/2 GCs is revealed and verified, the constructor's response to the request to reveal the check-set includes commitments that are entirely *within* the revealed check-set. That is, the revealed commitments only relate to the garbled circuits included in the check-set.
5. The method of claim 1 , wherein, for a given circuit I, the commitment to a given pair (I,J) is opened only if circuit J is in the same set as I.
In the secure function evaluation method performed by a garbled circuit evaluator for transferring private information, which involves receiving 's' garbled circuits (GCs) and commitments for pairs of input wires, where a check-set of s/2 GCs is revealed and verified, the commitment to a given pair of circuits (I, J) is "opened" (revealed and used for verification) *only* if circuit J is in the same set as circuit I. This means a commitment is only revealed if both circuits it relates to are either both in the check-set or both outside the check-set.
6. The method of claim 1 , wherein said pair-wise cryptographic bindings comprise commitments for half of said pairs of n input wires.
In the secure function evaluation method performed by a garbled circuit evaluator for transferring private information, which involves receiving 's' garbled circuits (GCs) and commitments for pairs of input wires, where a check-set of s/2 GCs is revealed and verified, the cryptographic bindings established by the commitments cover exactly half of all possible pairs of the 'n' input wires.
7. A system for secure function evaluation performed by a garbled circuit evaluator for the transfer of private information, comprising: a memory; and at least one processor, coupled to the memory, operative to: receive from a constructor (i) s garbled circuits (GCs), wherein each of said GCs has a plurality n of input wire indices; and (ii) commitments of pairs of input wires corresponding to the same input for each of said n input wire indices of each of said GCs, wherein said commitments comprise pair-wise cryptographic bindings of wire garblings of each given wire index in the s GCs with less than all possible pairs of said given wire index and s−1 other input wires of the same index in the s GCs; request said constructor to reveal a selected check-set of s/2 of said s GCs; and verify that said check-set was properly constructed using less than all of said commitments.
A system for secure function evaluation, using a garbled circuit evaluator to transfer private information, includes a memory and a processor. The processor is configured to receive from a "constructor" a set of 's' garbled circuits (GCs), each with 'n' input wires. It also receives commitments for pairs of input wires corresponding to the same input across the 's' GCs. These commitments are pair-wise cryptographic bindings of wire garblings, but do NOT include bindings for every possible pair of wires. The processor requests the constructor to reveal a check-set of s/2 of the 's' GCs, and verifies that this check-set was properly constructed using the received commitments.
8. The system of claim 7 , wherein said processor is further configured to evaluate the remaining GCs that were not in said check-set.
The secure function evaluation system described above, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, is further configured such that the processor evaluates the remaining GCs that were *not* in the revealed check-set.
9. The system of claim 7 , wherein said commitments comprise a binding of corresponding garblings for each input wire i, of each given circuit C, each bit-value b, and for each pair of generated GCs, GC j and GC j′ .
In the secure function evaluation system, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, the commitments bind corresponding garblings for each input wire 'i' of each given circuit 'C', for each bit-value 'b', and for each pair of generated GCs, GC 'j' and GC 'j′'. This means the commitments ensure consistency of the garbled wire values across different circuits for the same input and bit value.
10. The system of claim 7 , wherein a response to said request comprises commitments that are wholly inside said check-set.
In the secure function evaluation system, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, the constructor's response to the request to reveal the check-set includes commitments that are entirely *within* the revealed check-set. The revealed commitments relate only to the garbled circuits included in the check-set.
11. The system of claim 7 , wherein, for a given circuit I, the commitment to a given pair (I,J) is opened only if circuit J is in the same set as I.
In the secure function evaluation system, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, the commitment to a given pair of circuits (I, J) is "opened" (revealed and used for verification) *only* if circuit J is in the same set as circuit I. This means a commitment is only revealed if both circuits it relates to are either both in the check-set or both outside the check-set.
12. An article of manufacture for secure function evaluation performed by a garbled circuit evaluator for the transfer of private information, said article of manufacture comprising a machine readable recordable non-transitory medium containing one or more programs which when executed implement the steps of: receiving from a constructor (i) s garbled circuits (GCs), wherein each of said GCs has a plurality n of input wire indices; and (ii) commitments of pairs of input wires corresponding to the same input for each of said n input wire indices of each of said GCs, wherein said commitments comprise pair-wise cryptographic bindings of wire garblings of each given wire index in the s GCs with less than all possible pairs of said given wire index and s−1 other input wires of the same index in the s GCs; requesting said constructor to reveal a selected check-set of s/2 of said s GCs; and verifying that said check-set was properly constructed using less than all of said commitments.
A non-transitory machine-readable medium stores programs for secure function evaluation. The program, when executed, causes a garbled circuit evaluator to transfer private information by receiving from a "constructor" 's' garbled circuits (GCs), each with 'n' input wires. It also receives commitments for pairs of input wires corresponding to the same input across the 's' GCs. These commitments are pair-wise cryptographic bindings of wire garblings, but do NOT include bindings for every possible pair of wires. The program then requests the constructor to reveal a check-set of s/2 of the 's' GCs, and verifies that this check-set was properly constructed using the received commitments.
13. The article of manufacture of claim 12 , further comprising the step of evaluating the remaining GCs that were not in said check-set.
The article of manufacture for secure function evaluation described above, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, further causes the system to evaluate the remaining GCs that were *not* in the revealed check-set.
14. The article of manufacture of claim 12 , wherein said commitments comprise a binding of corresponding garblings for each input wire i, of each given circuit C, each bit-value b, and for each pair of generated GCs, GC j and GC j′ .
In the article of manufacture for secure function evaluation, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, the commitments bind corresponding garblings for each input wire 'i' of each given circuit 'C', for each bit-value 'b', and for each pair of generated GCs, GC 'j' and GC 'j′'. This means the commitments ensure consistency of the garbled wire values across different circuits for the same input and bit value.
15. The article of manufacture of claim 12 , wherein a response to said requesting step comprises commitments that are wholly inside said check-set.
In the article of manufacture for secure function evaluation, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, the constructor's response to the request to reveal the check-set includes commitments that are entirely *within* the revealed check-set. The revealed commitments relate only to the garbled circuits included in the check-set.
16. The article of manufacture of claim 12 , wherein, for a given circuit I, the commitment to a given pair (I,J) is opened only if circuit J is in the same set as I.
In the article of manufacture for secure function evaluation, which receives 's' garbled circuits (GCs) and commitments, requests a check-set of s/2 GCs, and verifies it, the commitment to a given pair of circuits (I, J) is "opened" (revealed and used for verification) *only* if circuit J is in the same set as circuit I. This means a commitment is only revealed if both circuits it relates to are either both in the check-set or both outside the check-set.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
January 31, 2011
July 16, 2013
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.